Follina: A Widely Exploited Zero-Day Microsoft Vulnerability

Researchers have spotted a new Microsoft Office zero-day exploit in the wild: a flaw in Microsoft Office that can be abused to achieve arbitrary code execution on affected Windows systems.

This vulnerability is tracked as CVE-2022-30190, the Microsoft Support Diagnostic Tool (MSDT) remote code execution vulnerability. The flaw exists when MSDT is invoked through its URL protocol from a calling application such as Word. An attacker who successfully exploits it can run arbitrary code with the privileges of the calling application, and can then install programs; view, change or delete data; or create new accounts, within the limits of the user's rights.

The vulnerability was discovered by an independent cybersecurity research team named nao_sec.

Why Is It Named Follina?

The InfoSec community refers to this vulnerability as 'Follina'. Security researchers gave it that name when they found a sample of a malicious Word DOC file, named 05-2022-0438.doc, uploaded to VirusTotal from an IP address in Belarus. The numeric sequence 05-2022 (May 2022) seems self-explanatory, but what about 0438? It is the telephone area code for Follina, Italy. There is no evidence that the malware originated in that part of the world, or that the town has anything to do with this exploit at all.

Affected versions:

  • Office 2013 and later versions are affected by the Follina zero-day vulnerability, according to researchers.
  • Some versions of Office included with a Microsoft 365 licence can also be targeted by attackers, on both Windows 10 and Windows 11.

How Does It Work?

Basically, the exploit works like this:

  • You open a booby-trapped DOC file, which you might have received in a phishing email.
  • The document refers to an external https: URL.
  • That https: URL points to a remote HTML file containing suspicious JavaScript code.
  • The JavaScript refers to a URL with the unusual scheme ms-msdt: instead of https:.
  • On Windows, ms-msdt: is a proprietary URL scheme that launches the MSDT tool.
  • MSDT is short for Microsoft Support Diagnostic Tool.
  • The command line passed to MSDT through the URL causes it to run untrusted code.

When invoked, the malicious ms-msdt: link triggers an MSDT command with command-line arguments like this: msdt /id pcwdiagnostic ….
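As an added illustration (not code from the original post or from SharkStriker), here is a defensive check for the first link in that chain: a small Python scanner that opens a .docx package and flags an OLE-object relationship whose target is an external http(s) URL rather than a part stored inside the package. The two sample documents are constructed in memory with a placeholder host.

```python
import io
import re
import zipfile
from typing import List, Tuple
import xml.etree.ElementTree as ET

# OOXML relationship namespace and the OLE-object relationship type. A .docx
# whose OLE object is fetched from an external https: URL has the shape of
# the lure described above.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

def external_targets(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (rels_part, relationship_type, target) for every relationship
    in the package that points outside it (TargetMode="External")."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    found.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return found

def is_suspicious(docx_bytes: bytes) -> bool:
    """Flag an OLE object whose target is a remote http(s) URL. Hyperlink
    relationships are external by design, so they are deliberately not flagged."""
    return any(rtype.endswith("/oleObject") and re.match(r"https?://", target, re.I)
               for _, rtype, target in external_targets(docx_bytes))

def build_sample(rels_xml: str) -> bytes:
    """Constructed minimal .docx containing only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

RELS = '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" %s/></Relationships>'
# Constructed samples: an embedded object stored inside the package, and one
# pulled from a remote URL (placeholder host, not a real indicator).
BENIGN = build_sample(RELS % (REL_NS, OLE_REL, 'Target="embeddings/oleObject1.bin"'))
LURE = build_sample(RELS % (REL_NS, OLE_REL,
                            'Target="https://example.invalid/page.html" TargetMode="External"'))
```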

If run manually, without any other parameters, this command simply loads MSDT and launches the Program Compatibility Troubleshooter, which looks innocent enough, like this:

In the image above, we used Kali as the attacker machine (on the left) and a Windows machine as the victim (on the right).

Once the malicious DOC file is opened, MSDT starts; we used a Calculator launch as confirmation that the script actually ran. On the Kali machine you can also see the requests from the victim arriving at the attacker machine.

From there, you can choose an app to troubleshoot, answer a series of support-related questions, run various automated tests on the application and, if you are still stuck, report the problem to Microsoft, simultaneously downloading various troubleshooting data.

Although you probably didn’t expect to be thrown into this PCWDiagnostic utility simply by opening a document, you would at least see a series of pop-up dialog boxes and have the option to choose what to do at each step of the process.

Mitigation

Microsoft has not yet released an update for this, but it has provided a temporary workaround. There are a few things you can do to block some or all of the "features" used in this type of attack.

1. Unregister the ms-msdt URL protocol

Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. Follow these steps to disable it:

  • Run Command Prompt as Administrator.
  • To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename".
  • Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".

2. Disable preview in Windows Explorer

If you have the preview pane enabled, you can:

  • Open File Explorer.
  • Click on View Tab.
  • Click on Preview Pane to hide it.

How Does SharkStriker Detect and Respond to This Vulnerability?

As soon as our threat researchers learned about the Follina vulnerability, they made sure that all the preventive measures mentioned above were applied, with the help of the customer.

Once that was done, we performed retrospective threat hunting to make sure there were no suspicious commands or arbitrary code executed with the Office process that opened the DOC file as the parent and msdt.exe as the child process, which would resemble exploitation of the Follina zero-day vulnerability.

In parallel, our team also created detection and prevention rules on all our platforms to ensure that any such abnormal activity is detected and prevented directly.

MDR Customers:

  • Behavior-based detection and prevention rules are being implemented to ensure any such abnormal behavior is detected and prevented immediately.
  • Our MDR agent blocks any suspicious commands, including msdt, and terminates the entire process tree started by those commands.

The SharkStriker MDR agent already blocks this behavior by default.

SIEM/SOC Customers:

Behavior-based detection rules are being implemented to ensure any such abnormal behavior is detected immediately.

A retrospective threat hunt was performed by our threat hunters across the entire customer base to identify any suspicious activity related to this vulnerability.

Some queries that can be used for detection:

SIEM Query:

  • (process.command_line:*WINWORD.EXE* AND process.command_line:*msdt.exe* AND process.command_line:(*sdiagnhost.exe* OR *csc.exe* OR *PCWDiagnostic* OR *IT_ReBrowserForFile* OR *IT_BrowserForFile* OR *conhost.exe*))
  • process.command_line:* AND process.name : "msdt.exe"

Windows Event Detection Query:

Event ID = "105" AND Process_name "MSDT.exe"
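The SIEM queries above and the parent/child hunt described earlier can be expressed as one scoring routine over process-creation telemetry. This is an added example, not SharkStriker's rule set; the field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine), the indicator strings are the ones in the first query, and the sample events are constructed.

```python
import re
from typing import Dict, List, Tuple

# Office parents worth watching, and the indicator strings from the SIEM query above.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MSDT_INDICATORS = re.compile(
    r"sdiagnhost\.exe|csc\.exe|PCWDiagnostic|IT_ReBrowserForFile|IT_BrowserForFile|conhost\.exe",
    re.IGNORECASE)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> str:
    """Score one process-creation record.
    high   = Office parent + msdt.exe child + known indicators (first SIEM query)
    medium = only one of those two conditions holds
    low    = any other msdt.exe launch with a command line (second SIEM query)
    none   = the child is not msdt.exe"""
    if basename(event.get("Image", "")) != "msdt.exe":
        return "none"
    office_parent = basename(event.get("ParentImage", "")) in OFFICE_PARENTS
    indicators = bool(MSDT_INDICATORS.search(event.get("CommandLine", "")))
    if office_parent and indicators:
        return "high"
    if office_parent or indicators:
        return "medium"
    return "low"

def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Retrospective hunt: (EventId, severity) for every msdt.exe launch seen."""
    scored = [(e["EventId"], classify(e)) for e in events]
    return [(eid, sev) for eid, sev in scored if sev != "none"]

# Constructed sample telemetry (not real customer data).
SAMPLE_EVENTS = [
    {"EventId": "1", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": "msdt.exe /id PCWDiagnostic IT_BrowserForFile=[placeholder]"},
    {"EventId": "2", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msdt.exe", "CommandLine": "msdt.exe /id pcwdiagnostic"},
    {"EventId": "3", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\msdt.exe", "CommandLine": "msdt.exe"},
    {"EventId": "4", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]
```

Event 2 shows why the medium tier exists: a user launching the Program Compatibility Troubleshooter by hand produces the same PCWDiagnostic string without an Office parent.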

Microsoft Patches Widely Exploited Follina in its June-2022 Patch Tuesday Updates

Microsoft has fixed the widely exploited Windows Follina MSDT zero-day vulnerability, tracked as CVE-2022-30190, in the June 2022 Patch Tuesday updates. The fix is included in the June 2022 cumulative Windows updates. Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action.

Advice to the Customer: Customers are urged to install the latest updates to be fully protected from the associated vulnerability.

For more references: Microsoft Guide
